In December of 2018, the National Institute of Standards and Technology (NIST) published an update for the Department of Defense (DoD) Risk Management Framework (RMF). NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy is an update for next-generation RMF.
This publication comes in response to Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” in addition to three OMB documents:
- OMB Circular A-130: Managing Information as a Strategic Resource
- OMB Memorandum M-17-25: Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- OMB Memorandum M-19-03: Strengthening the Cybersecurity of Federal Agencies by Enhancing the High-Value Asset Program
With the publication of this revision, NIST has taken its first step towards giving security and risk management an integrated and flexible methodology. The revision is geared toward improving and simplifying RMF execution for organizations, allowing them to manage risk better while also increasing automation.
In this post, you’ll learn about these new updates and their impact.
What is the DoD RMF?
The DoD RMF defines the process for identifying, implementing, assessing and managing cybersecurity capabilities and services, which are expressed as security controls. It also governs authorization to operate for Information Systems (IS) and Platform Information Technology (PIT) systems. The RMF offers a risk-based approach to applying cybersecurity while also supporting the integration of cybersecurity from the beginning of, and throughout, the system’s life cycle. It also encourages reciprocity and continuous monitoring of systems.
In addition to the government using RMF as a strategy, those contracting with the DoD also have to meet certain standards.
Why did the DoD RMF need revisions?
In the summer of 2018, the DoD began to preview that
This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Beth Osborne. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/cLG9lFeDGUg/